Package org.springframework.security.acls.afterinvocation

Class AclEntryAfterInvocationCollectionFilteringProvider

java.lang.Object

org.springframework.security.acls.afterinvocation.AbstractAclProvider

org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider

All Implemented Interfaces:

org.springframework.security.access.AfterInvocationProvider

public class AclEntryAfterInvocationCollectionFilteringProvider
extends AbstractAclProvider

Given a Collection of domain object instances returned from a secure object invocation, remove any Collection elements the principal does not have appropriate permission to access as defined by the AclService.

The AclService is used to retrieve the access control list (ACL) permissions associated with each Collection domain object instance element for the current Authentication object.

This after invocation provider will fire if any ConfigAttribute.getAttribute() matches the AbstractAclProvider.processConfigAttribute. The provider will then lookup the ACLs from the AclService and ensure the principal is Acl.isGranted() when presenting the AbstractAclProvider.requirePermission array to that method.

If the principal does not have permission, that element will not be included in the returned Collection.

Often users will setup a BasicAclEntryAfterInvocationProvider with a AbstractAclProvider.processConfigAttribute of AFTER_ACL_COLLECTION_READ and a AbstractAclProvider.requirePermission of BasePermission.READ. These are also the defaults.

If the provided returnObject is null, a null Collection will be returned. If the provided returnObject is not a Collection, an AuthorizationServiceException will be thrown.

All comparisons and prefixes are case sensitive.

Field Summary

Fields

Modifier and Type	Field	Description
protected static org.apache.commons.logging.Log	logger

Fields inherited from class org.springframework.security.acls.afterinvocation.AbstractAclProvider

aclService, objectIdentityRetrievalStrategy, processConfigAttribute, processDomainObjectClass, requirePermission, sidRetrievalStrategy

Constructor Summary

Constructors

Constructor	Description
AclEntryAfterInvocationCollectionFilteringProvider(AclService aclService, java.util.List<Permission> requirePermission)

Method Summary

Modifier and Type	Method	Description
java.lang.Object	decide(org.springframework.security.core.Authentication authentication, java.lang.Object object, java.util.Collection<org.springframework.security.access.ConfigAttribute> config, java.lang.Object returnedObject)

Methods inherited from class org.springframework.security.acls.afterinvocation.AbstractAclProvider

getProcessDomainObjectClass, hasPermission, setObjectIdentityRetrievalStrategy, setProcessConfigAttribute, setProcessDomainObjectClass, setSidRetrievalStrategy, supports, supports

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected static final org.apache.commons.logging.Log logger

Constructor Detail

AclEntryAfterInvocationCollectionFilteringProvider

public AclEntryAfterInvocationCollectionFilteringProvider(AclService aclService,
                                                          java.util.List<Permission> requirePermission)

Method Detail

decide

public java.lang.Object decide(org.springframework.security.core.Authentication authentication,
                               java.lang.Object object,
                               java.util.Collection<org.springframework.security.access.ConfigAttribute> config,
                               java.lang.Object returnedObject)
                        throws org.springframework.security.access.AccessDeniedException

Throws:

org.springframework.security.access.AccessDeniedException